Senior GRC Analyst

Sargent & Lundy, L.L.C.•Chicago, IL

53d•$100,010 - $144,190•Hybrid

About The Position

Sargent & Lundy is a leading consulting engineering firm specializing in the power and energy sectors. Since 1891, we have provided comprehensive engineering, design, and consulting services for both traditional and renewable power generation, grid modernization, nuclear power, and beyond. Our mission is to help clients achieve their energy goals effectively by leveraging advanced technologies and adopting sustainable practices. Role Overview Sargent & Lundy is seeking a proactive, data-driven, and detail-oriented Senior GRC Analyst to lead key pillars of Governance, Risk, and Compliance (GRC) with a primary emphasis on enterprise Information Security, TPRM, contract governance, and cross-functional coordination with Legal and Procurement. You will own cyber training, communications, and phishing simulations, and drive measurable outcomes through strong data analysis and dashboard reporting (KPIs/KRIs). You will support audit readiness and regulatory alignment across frameworks such as ISO 27001, SOC 2, NIST CSF/171, and CMMC. You will also guide privacy-aligned practices (e.g., GDPR) and lead effective policy implementation through clear procedures, controls, and adoption plans.

Requirements

Bachelor's degree in computer science, information systems, or related field; or equivalent professional experience.
5+ years in GRC or related domains, including leadership/ownership of programs or workstreams.
Strong understanding of ISO 27001, SOC 2, NIST CSF; experience with CMMC readiness.
Practical knowledge of privacy and GDPR with the ability to implement policy via procedures, controls, communications, and training.
Proven expertise in risk management, compliance operations, policy/standards, vendor risk, resilience, security training/awareness, and audit readiness.
Advanced data analysis skills with the ability to design and maintain KPI/KRI dashboards, translate data into insights, and present executive-ready reporting.
Familiarity with security technologies across on-prem and cloud environments; strong problem-solving and systems thinking.

Nice To Haves

Professional certifications (e.g., CISSP, CISM, CRISC) are advantageous.

Responsibilities

Lead and mature the Third-Party Risk Management (TPRM) program: Develop & manage vendors inventory, conduct risk reviews of third-party vendors, define tiering/scoping, evaluate controls, track obligations/findings through closure, and standardize evidence retention in collaboration with Legal and Procurement.
Drive strong contract management with Legal and Procurement: Standardize security and privacy clauses, review S&L client contracts, negotiate requirements, and ensure obligations are tracked, owned, and reported.
Own the security awareness & training program end-to-end: Develop curriculum, coordinate communications, execute phishing simulations, analyze outcomes, and improve effectiveness using KPI/KRI dashboards and trend reporting.
Administer and optimize GRC platforms and workflows (e.g., Hyperproof) to maintain visibility into risks, assessments, findings, and audit deliverables; establish SLAs and performance indicators.
Develop risk management & risk assessment practice, conduct risk assessments, develop and manage risk register with clear tracking of risks and accountability.
Advance security governance by drafting, maintaining, and operationalizing policies, standards, procedures, and roles & responsibilities; lead change management and communications to ensure policy implementation and adoption.
Coordinate evidence and execute control readiness for ISO 27001, SOC 2, NIST CSF, CMMC (gap analysis, control testing, POA&Ms), and support automation that reduces workload.
Support privacy-aligned practices (e.g., GDPR): contribute to data classification/handling standards, data mapping/records of processing, privacy-by-design reviews, incident/breach alignment, and retention practices.
Oversee governance for Business Continuity and Disaster Recovery and Backup & Recovery in partnership with IT (plan maintenance, exercises, lessons learned, reporting).
Lead cross-functional coordination with IT, HR, Finance, Legal, and business teams to embed compliance into operations and accelerate remediation of findings.
Manage security tasks/projects and report progress via standardized dashboards, scorecards, and executive-ready narratives, highlighting risk, performance, and trends. - Define, publish, and automate metrics & management reporting (KPIs/KRIs) for training effectiveness, phishing trends, vendor risk, audit readiness, privacy/policy adoption, and control performance.
Continuously upgrade information security skills, contribute to Information Security team skill development with playbooks, enablement sessions, and knowledge-sharing.
Support government contract compliance reviews and tracking, ensuring obligations are documented, monitored, and evidenced.